As we’ve written before, when employees use personal devices at work, it can create a number of tricky legal concerns for businesses. Here’s one compliance issue a recent survey says many firms are struggling with:
Writing a BYOD policy that offers enough privacy protection to comply with the law.
There are many laws that govern how certain types of data must be handled. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects health-related information.
On top of those laws, customers can also try to sue an organization if their personal data is compromised and then misused — for example, to commit identity theft. And there’s also a risk that employees might claim their privacy is violated if using a personal device at work gives their employer access to too much personal information.
Furthermore, there are also laws that require companies to have access to and store certain information. The Dodd-Frank Act, for example, requires some financial companies to retrieve and review employee communication records. And electronic discovery rules require companies to hang on to all relevant electronic evidence if they’re going to be involved in a court battle.
It’s important that policies take those risks into account so the company can avoid a potential legal mess in the future. But unfortunately, a lot of BYOD policies don’t offer enough protection, according to a recent survey conducted by TEKsystems.
More policy control needed
Among the 1,500 IT leaders surveyed, 35% aren’t confident their organization’s BYOD policies can comply with those rules and regulations. In addition, 25% of the 2,000 IT staff members said the same thing.
Overall, a lot of IT pros are worried that BYOD might expose their company’s data. Half of the survey respondents believe that at least 25% of the company’s information is at risk.
The problem, according to TEKsystems, is that in many cases, organizations are trying to respond quickly to employee demands for BYOD programs. The end result is often that the company starts allowing people to work on personal devices before giving IT and other departments a chance to think of ways to contain all of the possible risks.
Experts recommend taking a step back and being sure the organization is ready for BYOD. For help, see our BYOD policy template.